18.4. Avoiding Injection Attacks

A number of years ago, shortly after I began running websites on my own Xserve, I sat down at my computer one day to find my inbox full of complaints that my server had been sending out spam. I thought that I ran a pretty tight ship, so I was shocked and appalled to learn that someone had indeed found a way to hijack my server (a Mac, no less!) to send tons of junk mail. Of the 10,000 messages this hacker had attempted to send, about 3,000 got through before I discovered what was happening and blocked it.

When I investigated what had gone wrong, I found that I'd been the victim of a type of exploit known as an injection attack. An injection attack occurs when someone feeds a program a type of data that it wasn't expecting, and because of bugs, quirks, or unwise assumptions in the underlying code, it treats that unexpected data in an undesirable (but predictable) way. Although injection attacks take many forms, the variety I encountered that day — which is extremely common — involved a form on my site that let visitors send me feedback by email. What was supposed to happen was that the form took the information, such as the sender's email address and the message content, and then fed it to a simple PHP script, which in turn mailed it to me. But the attacker found a way to insert huge amounts of specially formatted data (including hundreds of email addresses) in those fields, and because my script made the naïve assumption that all input would be ...
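As an added illustration (not the author's script and not code from the book), here is how a PHP feedback handler can refuse unexpected form data before it reaches `mail()`. The field names, addresses and length limits are assumptions, and the sample submissions are constructed.

```php
<?php
// Added example, not the author's script. Field names and addresses are assumed.
const RECIPIENT = 'owner@example.com';    // placeholder: fixed, never taken from the form
const SITE_FROM = 'webform@example.com';  // placeholder: the server's own sender address

// Returns a list of problems; an empty list means the input is safe to mail.
function feedback_errors(array $in): array
{
    $errors  = [];
    $email   = (string)($in['email'] ?? '');
    $subject = (string)($in['subject'] ?? '');
    $message = (string)($in['message'] ?? '');
    // Header-bound values must be one line: a CR or LF would start a new header.
    foreach (['email' => $email, 'subject' => $subject] as $name => $value) {
        if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            $errors[] = "$name contains a line break or control character";
        }
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not one valid address';
    }
    if ($subject === '' || strlen($subject) > 150) {
        $errors[] = 'subject is empty or too long';
    }
    if ($message === '' || strlen($message) > 5000) {
        $errors[] = 'message is empty or too long';
    }
    return $errors;
}

// Builds the arguments for mail(); the visitor's address appears only in Reply-To.
function feedback_mail_args(array $in): array
{
    $headers = 'From: ' . SITE_FROM . "\r\nReply-To: " . $in['email'];
    return [RECIPIENT, $in['subject'], $in['message'], $headers];
}

// Constructed sample submissions: one ordinary, one with an embedded line break.
$samples = [
    ['email' => 'visitor@example.com', 'subject' => 'Hello', 'message' => 'Nice site.'],
    ['email' => "visitor@example.com\r\nX-Extra: constructed", 'subject' => 'Hello', 'message' => 'Hi'],
];
foreach ($samples as $in) {
    $errors = feedback_errors($in);
    // A live handler would call mail(...feedback_mail_args($in)) in the accepted case.
    echo $errors ? 'REJECTED: ' . implode('; ', $errors) : 'ACCEPTED: would mail ' . RECIPIENT;
    echo PHP_EOL;
}
```

The recipient and sender are constants, so no form field can choose where the message goes; the script only prints its decision and leaves the actual `mail()` call to the live handler.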
